As network communications between computing devices become ubiquitous, users of those computing devices increasingly perform financial, medical, and other private tasks over such network communications. To protect users, and their private or otherwise sensitive information, from other, potentially malicious, users, the providers of such services generally require that users verify their identity before the requested services are provided. Traditionally, a user of a computing device verifies their identity to a remote application, process, or service through a user identifier, such as a user name, together with a password or other secret presumed to be known only by the user and the entity to which the user is attempting to verify their identity. Provision of such a secret is, traditionally, taken as proof that the user claiming to be the individual identified by the user name is, in fact, that individual.
Unfortunately, users tend to use both the same identifier and the same secret, such as a password, for multiple service providers. For example, users are often identified by their email address, or their given name, and, in each case, users generally have only one email address or given name that they use. Similarly, to aid their recollection of the secret, users tend to pick the same password for multiple registrations with service providers. In such cases, should a malicious entity obtain a user's password, or other secret, that malicious entity may easily be able to access private and sensitive information about the user from multiple sources, including financial information, medical information, and other like information that can be damaging to the user, or used against the user's best interests.
To protect against such actions by malicious entities, users are often encouraged to select passwords or other secrets that are difficult to guess or derive, such as long passwords that mix letters, numerals, and other characters, passwords that do not form dictionary words or follow linguistic rules, and other like password selection strategies. Unfortunately, users often ignore such encouragement and select passwords that can be easily guessed or derived, such as words, names, significant dates, or other like data. Users who do select, or are required to use, secrets that are more difficult to guess or derive find that such secrets are also difficult to remember. Consequently, the user is likely either to decrease their use of the service protected by such a secret, or to write the secret down, or retain it in some other insecure manner, again rendering it easily accessible to malicious entities.
In enterprises that routinely handle sensitive information that must be kept secure, external hardware devices with a display were produced that could generate, based on a predetermined cryptographic scheme, single-use passwords that were essentially impossible to derive without prior knowledge of that scheme and of the values with which the device had been programmed, and which, being single use, were useless to a malicious entity that intercepted one and attempted to replay it. The user was provided with such an external hardware device and, when prompted, such as through network communications, to identify themselves, the user would provide identifying information together with whatever single-use password was currently displayed by the device. The receiving entity could confirm the single-use password by independently deriving it according to the particular cryptographic scheme in use on the device provided to that particular user. More specifically, the entity that would ultimately receive these single-use passwords, and thereby grant the user access to the sensitive information, was the same entity that provisioned the external hardware device before providing it to the user. Both the device and the entity were programmed with the same cryptographic scheme, the device was programmatically associated with the user, and the device was then provided to the user through a secure channel, such as by requiring the user to present themselves in person to obtain the device.